Reject project CI jobs on reserved policy stages

What does this MR do and why?

This rejects project CI jobs on reserved policy stages.

When custom security policy scan jobs are used, we add stages that are reserved for security policy jobs only. To protect those stages, any project-defined jobs placed on them are removed before the custom scan actions are merged into the CI config, so only the policy's jobs can run there.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

How to set up and validate locally

  1. Create a group.
  2. Go to Settings -> General.
  3. Toggle the Permissions and group features section.
  4. Enable Security policy pipeline execution action.
  5. Create a project.
  6. Add a .gitlab-ci.yml file with content:
    stages:
        - .pipeline-policy-test
    
    project_job:
        stage: .pipeline-policy-test
        script:
            - echo "Hello World"
  7. Run a pipeline. It should contain the project_job.
  8. On the left sidebar, select Security & Compliance and Policies.
  9. Select New Policy.
  10. Select Scan execution policy.
  11. Switch to .yaml mode and enter the following policy:
    type: scan_execution_policy
    name: test
    description: ''
    enabled: true
    rules:
      - type: pipeline
        branch_type: all
    actions:
      - scan: custom
        ci_configuration: |-
          policy_job:
            stage: .pipeline-policy-test
            script:
              - echo 'Hello World'
  12. Select Configure with a merge request.
  13. Go back to the project and run a new pipeline.
  14. The pipeline should now only contain policy_job.
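The behaviour described above (project jobs on a reserved policy stage are dropped, then the policy's custom `ci_configuration` is merged in) can be illustrated with the following Ruby example. This is an added example written for this page, not GitLab's own implementation: the list of reserved stages, the set of non-job top-level keys and the `merge_policy_config` function are assumptions, and the sample CI and policy YAML are constructed from the validation steps above, with an extra ordinary `unit_tests` job added to show that jobs on non-reserved stages are kept.

```ruby
require 'yaml'

# Stages reserved for security-policy jobs. The page only shows
# `.pipeline-policy-test`; treating this as a configurable list is an assumption.
RESERVED_POLICY_STAGES = ['.pipeline-policy-test'].freeze

# Top-level CI keys that are never jobs (assumed subset of GitLab's global keywords).
NON_JOB_KEYS = %w[stages include variables default workflow image services
                  cache before_script after_script].freeze

# Constructed sample input: the project's .gitlab-ci.yml from the validation
# steps, plus an ordinary job on the default `test` stage.
PROJECT_CI_YAML = <<~YAML
  stages:
    - .pipeline-policy-test

  project_job:
    stage: .pipeline-policy-test
    script:
      - echo "Hello World"

  unit_tests:
    stage: test
    script:
      - echo "runs as usual"
YAML

# Constructed sample input: the policy's custom `ci_configuration`.
POLICY_CI_YAML = <<~YAML
  policy_job:
    stage: .pipeline-policy-test
    script:
      - echo 'Hello World'
YAML

# A top-level entry is a job when it is a mapping, not a global keyword,
# and not a hidden (dot-prefixed) template.
def job?(key, value)
  value.is_a?(Hash) && !NON_JOB_KEYS.include?(key) && !key.start_with?('.')
end

# Drops every project job whose stage is reserved for policy jobs.
# Returns [config_without_reserved_jobs, rejected_job_names].
def reject_reserved_stage_jobs(config, reserved_stages = RESERVED_POLICY_STAGES)
  rejected = []
  kept = config.reject do |key, value|
    next false unless job?(key, value)

    stage = value.fetch('stage', 'test') # GitLab defaults a job's stage to `test`
    reserved_stages.include?(stage).tap { |reserved| rejected << key if reserved }
  end
  [kept, rejected]
end

# Merges the policy's jobs only after the project's reserved-stage jobs were
# removed, so the policy can never be shadowed by a same-stage project job.
def merge_policy_config(project_config, policy_config, reserved_stages = RESERVED_POLICY_STAGES)
  cleaned, rejected = reject_reserved_stage_jobs(project_config, reserved_stages)
  [cleaned.merge(policy_config), rejected]
end

def job_names(config)
  config.select { |key, value| job?(key, value) }.keys
end

# Runs the sample through the two steps; returns the surviving jobs and the
# names that were rejected, mirroring steps 7 and 14 of the validation above.
def demo
  project = YAML.safe_load(PROJECT_CI_YAML)
  policy  = YAML.safe_load(POLICY_CI_YAML)
  merged, rejected = merge_policy_config(project, policy)
  { jobs: job_names(merged), rejected: rejected }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

Running the script reports `project_job` as rejected while `unit_tests` and `policy_job` remain, which is the outcome the validation steps expect; the `stages` list itself is left untouched so the reserved stage still exists for the policy job.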

Related to #440141 (closed)

Edited by Andy Schoenen